When we browse the web, who can see what we're reading? Who can see the text we type into forms?
With standard HTTP, many people can: attackers intercepting packets, ISPs monitoring traffic, government agencies tapping into the fiber cables that make up the backbone of the Internet. Using well-known exploits, they can read the contents of every website and even inject their own content.
That's why websites increasingly use HTTPS (Hypertext Transfer Protocol Secure) to protect the privacy of their users and prevent tampering. HTTPS is also known as HTTP over TLS, because it's implemented by encrypting HTTP requests and responses with the TLS protocol.
An HTTPS connection starts with the URL in the address bar. Standard HTTP connections have URLs that start with "http://". Secure HTTP connections have URLs that start with "https://".
⬆ Take a look at the address bar now. You should see a URL that starts with "https://www.khanacademy.org/". If it starts with "khanacademy.org/", try double clicking the address bar to see the full URL.
Of course, most users will just type the domain, like "khanacademy.org". Savvy users might even type a URL like "http://khanacademy.org". When a website supports HTTPS and wants to make sure that all of its users are served a secure connection, it should redirect all requests to the HTTPS version of its site.
🔍 Try typing in a few URLs of your favorite sites in a new tab and inspect the final URL in the address bar once the website loads. Did any of them redirect to HTTPS? Are any of them using HTTP that you really wish would use HTTPS?
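The check from the exercise above can be automated. The following is an added example, not part of the original article: it follows a redirect chain and reports whether a visitor who starts on "http://" ends up on HTTPS. The hostnames and responses are constructed, and `sample_fetch` is a hypothetical stand-in for a real HEAD request.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample data (hypothetical hosts): URL -> (status, Location header)
SAMPLE_RESPONSES = {
    "http://secure.example/": (301, "https://secure.example/"),
    "https://secure.example/": (200, None),
    "http://plain.example/": (200, None),
    "http://bounce.example/": (302, "https://bounce.example/start"),
    "https://bounce.example/start": (302, "http://bounce.example/home"),
    "http://bounce.example/home": (200, None),
    "http://relative.example/": (301, "/welcome"),
    "http://relative.example/welcome": (200, None),
}


def sample_fetch(url):
    """Stand-in for a real HEAD request; looks the URL up in the table."""
    return SAMPLE_RESPONSES[url]


def audit_redirects(start_url, fetch=sample_fetch, max_hops=10):
    """Follow redirects from start_url and return (verdict, chain).

    verdict is one of:
      "https"     - the final page is served over HTTPS
      "http-only" - the site never moved the visitor off plain HTTP
      "downgrade" - the chain reached HTTPS, then redirected back to HTTP
      "loop"      - the redirects repeat or never settle within max_hops
    """
    chain = [start_url]
    seen_https = False
    url = start_url
    for _ in range(max_hops):
        seen_https = seen_https or urlsplit(url).scheme == "https"
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break  # not a redirect: this is the final page
        url = urljoin(url, location)  # the Location header may be relative
        if url in chain:
            return "loop", chain + [url]
        chain.append(url)
    else:
        return "loop", chain  # ran out of hops without reaching a final page
    if urlsplit(url).scheme == "https":
        return "https", chain
    return ("downgrade" if seen_https else "http-only"), chain
```

To audit live sites, pass a `fetch` function that sends a HEAD request without following redirects and returns the status code and `Location` header.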
When the browser loads a URL that starts with "https", it begins the process of setting up a secure connection over TLS. (Need a refresher on the process? Review our TLS article.)
Early in that process, the browser must verify the digital certificate of the domain. There are many ways a certificate can be invalid, and browsers will often display certificate errors.
Here's what it looks like when Chrome discovers a certificate was issued by a certificate authority that it doesn't trust:
If the certificate is valid and everything else goes smoothly in the TLS setup, most browsers will display a lock in the address bar. That lock indicates a secured connection over HTTPS.
Here's the lock icon for Firefox:
Clicking that lock icon yields even more information about the site's security:
The benefits of HTTPS
An HTTPS connection ensures that only the browser and the secured domain see the data in HTTP requests and responses. Onlookers can still see that a particular IP address is communicating with another domain/IP and they can see how long that connection lasts. But those onlookers can't see the content of the communication, which includes the full URL path, the webpage HTML, and any text submitted in forms. Right now, an onlooker may know you're visiting khanacademy.org, but they don't know you're reading an article about HTTPS.
HTTPS also prevents tampering with website content. When a website is served over a standard HTTP connection, the packets can be intercepted and their contents replaced. If an attacker or even a government agency intercepts visits to a news site, they can easily serve up fake news. TLS includes a mechanism to detect packet alterations, so HTTPS connections are resistant to tampering.
Many organizations believe that every website should serve all connections over HTTPS, due to the massive benefits. As of February 2019, around half of the top million websites use HTTPS by default. Will that ever reach 100%? You can help us get there by asking your favorite websites to use HTTPS or becoming a security-savvy web developer yourself.
Want to join the conversation?
- Ummm…Can somebody explain the benefits of https easily?(4 votes)
- HTTPS is an extension of HTTP that allows for more secure network communication. HTTPS encrypts data in transit and helps to fend against both man-in-the-middle attacks and eavesdropping attacks.
The benefit is the increased security of the communication (HTTPS is used for the Internet, which billions of users interact with); if you send your credit card information across the Internet to an ecommerce website when making a purchase, you would want that information to be obscured for those attempting to intercept it. HTTPS helps you to achieve that obscurity.(8 votes)
- Can we manually set the browser to block all requests from a specific Website/Root CA?(3 votes)
- Yes, some browsers and devices allow you to set a custom list of trusted certificate authorities.(2 votes)
- I have completed every single exercise and video and mastery course and challenge of "internet safety" and mastered everything and have gotten a 92% mastered, why?(2 votes)
- How does http/https have anything to do with TLS? Because I think the article said that with https, you are on a TLS connection.(0 votes)
- With HTTP you are just sending standard HTTP requests and getting standard HTTP responses. With HTTPS you are implementing the TLS protocol on top of TCP/IP - meaning if the URL has https at the start - you have that extra layer of security (which is TLS).(4 votes)
- Can you visit a site that does not use any form of http, but another system?(0 votes)
- You could use FTP for file transfer or you could use SMTP, the simple mail protocol (or maybe POP3, another mail protocol). Or rather you probably use them without noticing.
Those protocols serve other functions than HTTP (file and mail transfer), but are obviously also important.
But to visit actual websites with your web browser, that's a job for HTTP.(3 votes)
- What are the pros and cons of http/https?(1 vote)
- @Prodigy6 said the pros. I'll say the cons.
HTTPS is slower, and uses more energy. Because of the initial RSA, it also uses more memory.(2 votes)